diff options
author | Nicolas LÅ“uillet <nicolas@loeuillet.org> | 2015-06-01 15:49:49 +0200 |
---|---|---|
committer | Nicolas LÅ“uillet <nicolas@loeuillet.org> | 2015-06-01 15:49:49 +0200 |
commit | 2878416f8b4d94fb5e64c2fa61861526a7654d3d (patch) | |
tree | cbdf2d95ecdb651e2003747a28572c35b6c9da64 /src/Wallabag/ApiBundle/Security | |
parent | 98510a4189186c8dcc3f1bf38843d935ed3d1859 (diff) | |
parent | 4346a86068781f4acdeb574d7e2af08b77b58ea7 (diff) | |
download | wallabag-2878416f8b4d94fb5e64c2fa61861526a7654d3d.tar.gz wallabag-2878416f8b4d94fb5e64c2fa61861526a7654d3d.tar.zst wallabag-2878416f8b4d94fb5e64c2fa61861526a7654d3d.zip |
Merge pull request #1167 from wallabag/v2-api-bundle
Move API stuff in ApiBundle
Diffstat (limited to 'src/Wallabag/ApiBundle/Security')
3 files changed, 165 insertions, 0 deletions
diff --git a/src/Wallabag/ApiBundle/Security/Authentication/Provider/WsseProvider.php b/src/Wallabag/ApiBundle/Security/Authentication/Provider/WsseProvider.php new file mode 100644 index 00000000..db73ae2a --- /dev/null +++ b/src/Wallabag/ApiBundle/Security/Authentication/Provider/WsseProvider.php | |||
@@ -0,0 +1,79 @@ | |||
1 | <?php | ||
2 | |||
3 | namespace Wallabag\ApiBundle\Security\Authentication\Provider; | ||
4 | |||
5 | use Symfony\Component\Security\Core\Authentication\Provider\AuthenticationProviderInterface; | ||
6 | use Symfony\Component\Security\Core\User\UserProviderInterface; | ||
7 | use Symfony\Component\Security\Core\Exception\AuthenticationException; | ||
8 | use Symfony\Component\Security\Core\Exception\NonceExpiredException; | ||
9 | use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; | ||
10 | use Wallabag\ApiBundle\Security\Authentication\Token\WsseUserToken; | ||
11 | |||
12 | class WsseProvider implements AuthenticationProviderInterface | ||
13 | { | ||
14 | private $userProvider; | ||
15 | private $cacheDir; | ||
16 | |||
17 | public function __construct(UserProviderInterface $userProvider, $cacheDir) | ||
18 | { | ||
19 | $this->userProvider = $userProvider; | ||
20 | $this->cacheDir = $cacheDir; | ||
21 | |||
22 | // If cache directory does not exist we create it | ||
23 | if (!is_dir($this->cacheDir)) { | ||
24 | mkdir($this->cacheDir, 0777, true); | ||
25 | } | ||
26 | } | ||
27 | |||
28 | public function authenticate(TokenInterface $token) | ||
29 | { | ||
30 | $user = $this->userProvider->loadUserByUsername($token->getUsername()); | ||
31 | |||
32 | if (!$user) { | ||
33 | throw new AuthenticationException('Bad credentials. Did you forgot your username?'); | ||
34 | } | ||
35 | |||
36 | if ($user && $this->validateDigest($token->digest, $token->nonce, $token->created, $user->getPassword())) { | ||
37 | $authenticatedToken = new WsseUserToken($user->getRoles()); | ||
38 | $authenticatedToken->setUser($user); | ||
39 | |||
40 | return $authenticatedToken; | ||
41 | } | ||
42 | |||
43 | throw new AuthenticationException('The WSSE authentication failed.'); | ||
44 | } | ||
45 | |||
46 | protected function validateDigest($digest, $nonce, $created, $secret) | ||
47 | { | ||
48 | // Check created time is not in the future | ||
49 | if (strtotime($created) > time()) { | ||
50 | throw new AuthenticationException('Back to the future...'); | ||
51 | } | ||
52 | |||
53 | // Expire timestamp after 5 minutes | ||
54 | if (time() - strtotime($created) > 300) { | ||
55 | throw new AuthenticationException('Too late for this timestamp... Watch your watch.'); | ||
56 | } | ||
57 | |||
58 | // Validate nonce is unique within 5 minutes | ||
59 | if (file_exists($this->cacheDir.'/'.$nonce) && file_get_contents($this->cacheDir.'/'.$nonce) + 300 > time()) { | ||
60 | throw new NonceExpiredException('Previously used nonce detected'); | ||
61 | } | ||
62 | |||
63 | file_put_contents($this->cacheDir.'/'.$nonce, time()); | ||
64 | |||
65 | // Validate Secret | ||
66 | $expected = base64_encode(sha1(base64_decode($nonce).$created.$secret, true)); | ||
67 | |||
68 | if ($digest !== $expected) { | ||
69 | throw new AuthenticationException('Bad credentials ! Digest is not as expected.'); | ||
70 | } | ||
71 | |||
72 | return $digest === $expected; | ||
73 | } | ||
74 | |||
75 | public function supports(TokenInterface $token) | ||
76 | { | ||
77 | return $token instanceof WsseUserToken; | ||
78 | } | ||
79 | } | ||
diff --git a/src/Wallabag/ApiBundle/Security/Authentication/Token/WsseUserToken.php b/src/Wallabag/ApiBundle/Security/Authentication/Token/WsseUserToken.php new file mode 100644 index 00000000..e6d30224 --- /dev/null +++ b/src/Wallabag/ApiBundle/Security/Authentication/Token/WsseUserToken.php | |||
@@ -0,0 +1,24 @@ | |||
1 | <?php | ||
2 | |||
3 | namespace Wallabag\ApiBundle\Security\Authentication\Token; | ||
4 | |||
5 | use Symfony\Component\Security\Core\Authentication\Token\AbstractToken; | ||
6 | |||
7 | class WsseUserToken extends AbstractToken | ||
8 | { | ||
9 | public $created; | ||
10 | public $digest; | ||
11 | public $nonce; | ||
12 | |||
13 | public function __construct(array $roles = array()) | ||
14 | { | ||
15 | parent::__construct($roles); | ||
16 | |||
17 | $this->setAuthenticated(count($roles) > 0); | ||
18 | } | ||
19 | |||
20 | public function getCredentials() | ||
21 | { | ||
22 | return ''; | ||
23 | } | ||
24 | } | ||
diff --git a/src/Wallabag/ApiBundle/Security/Firewall/WsseListener.php b/src/Wallabag/ApiBundle/Security/Firewall/WsseListener.php new file mode 100644 index 00000000..50587837 --- /dev/null +++ b/src/Wallabag/ApiBundle/Security/Firewall/WsseListener.php | |||
@@ -0,0 +1,62 @@ | |||
1 | <?php | ||
2 | |||
3 | namespace Wallabag\ApiBundle\Security\Firewall; | ||
4 | |||
5 | use Symfony\Component\HttpFoundation\Response; | ||
6 | use Symfony\Component\HttpKernel\Event\GetResponseEvent; | ||
7 | use Symfony\Component\Security\Http\Firewall\ListenerInterface; | ||
8 | use Symfony\Component\Security\Core\Exception\AuthenticationException; | ||
9 | use Symfony\Component\Security\Core\SecurityContextInterface; | ||
10 | use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface; | ||
11 | use Wallabag\ApiBundle\Security\Authentication\Token\WsseUserToken; | ||
12 | use Psr\Log\LoggerInterface; | ||
13 | |||
14 | class WsseListener implements ListenerInterface | ||
15 | { | ||
16 | protected $securityContext; | ||
17 | protected $authenticationManager; | ||
18 | protected $logger; | ||
19 | |||
20 | public function __construct(SecurityContextInterface $securityContext, AuthenticationManagerInterface $authenticationManager, LoggerInterface $logger) | ||
21 | { | ||
22 | $this->securityContext = $securityContext; | ||
23 | $this->authenticationManager = $authenticationManager; | ||
24 | $this->logger = $logger; | ||
25 | } | ||
26 | |||
27 | public function handle(GetResponseEvent $event) | ||
28 | { | ||
29 | $request = $event->getRequest(); | ||
30 | |||
31 | $wsseRegex = '/UsernameToken Username="([^"]+)", PasswordDigest="([^"]+)", Nonce="([^"]+)", Created="([^"]+)"/'; | ||
32 | if (!$request->headers->has('x-wsse') || 1 !== preg_match($wsseRegex, $request->headers->get('x-wsse'), $matches)) { | ||
33 | return; | ||
34 | } | ||
35 | |||
36 | $token = new WsseUserToken(); | ||
37 | $token->setUser($matches[1]); | ||
38 | |||
39 | $token->digest = $matches[2]; | ||
40 | $token->nonce = $matches[3]; | ||
41 | $token->created = $matches[4]; | ||
42 | |||
43 | try { | ||
44 | $authToken = $this->authenticationManager->authenticate($token); | ||
45 | |||
46 | $this->securityContext->setToken($authToken); | ||
47 | |||
48 | return; | ||
49 | } catch (AuthenticationException $failed) { | ||
50 | $failedMessage = 'WSSE Login failed for '.$token->getUsername().'. Why ? '.$failed->getMessage(); | ||
51 | $this->logger->err($failedMessage); | ||
52 | |||
53 | // Deny authentication with a '403 Forbidden' HTTP response | ||
54 | $response = new Response(); | ||
55 | $response->setStatusCode(403); | ||
56 | $response->setContent($failedMessage); | ||
57 | $event->setResponse($response); | ||
58 | |||
59 | return; | ||
60 | } | ||
61 | } | ||
62 | } | ||